The current pam_musclecard already allows smartcard login locally; I used the x509 cert in my musclecard to log on to my Linux box. It is simple and fast. I've looked at the effort in smartcard_login and smartcard_netlogin and could not use it. One of the key issues is being able to have a PKCS11 stack so that browsers and other applications can take advantage of it. Currently, only the Musclecard framework offers multi-vendor cards and PKCS11 on a Unix platform.

On the network logon, I would prefer a PKINIT approach. It has been on the IETF standards track for a long time, and Microsoft has implemented draft-9. There is also an early implementation in Heimdal. Checking the network credential is not trivial: one needs to consider how to log in if the network is not available (off-line) and when the network is not directly reachable (behind firewall/NAT). Can one trust the network (man-in-the-middle attack)?
-peter huang

> -----Original Message-----
> From: Sean Atkinson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 18, 2002 1:52 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Muscle] login locally in Linux using smartcard
>
> Hi,
>
> > I want to enable Linux to login locally or LTSP with smartcard. But first
> > I will try to login locally. Getty always prompts the login prompt and all
> > the processes next will be sent to login program.
>
> Apologies if I've missed the point of your mail, but I thought my
> experiences may be of interest. I've successfully installed
> smartcard_login (http://home.zhwin.ch/~sri/smartcard_login/) and
> configured almost all PAM applications (including login) to require
> users to validate their password with a Schlumberger Cryptoflex 16K
> smart card. However I'd recommend buying Cyberflex cards instead,
> since they support multiple users per card (e.g. handy for a root
> account).
>
> I'm also interested in network logins, and if my understanding's
> correct, LTSP could be configured to use NIS/LDAP logins with the
> network-enabled package smartcard_netlogin
> (http://home.zhwin.ch/~sri/smartcard_netlogin/), so it's probably
> worth looking into that.
>
> HTH,
>
> Sean Atkinson.
>
> _______________________________________________
> Muscle mailing list
> [EMAIL PROTECTED]
> http://lists.musclecard.com/mailman/listinfo/muscle
